Enterprise Architecture Cloud Delivery Model - CCM Mapping

The Enterprise Architecture working group has been developing a Cloud Service Delivery Model mapping which aims to give businesses who are building out their cloud program an inside look into roles and responsibilities when it comes to IaaS, PaaS, and SaaS and specific areas within each.

This phased approach that links directly from the Cloud Controls Matrix (CCM), gives a quick glance and delivery model for identifying key areas within a business and determining whether they are the responsibility of the vendor or the cloud consumer.

Helps eliminate assumptions when migrating to the cloud

The best part of direct mappings like this built from the Cloud Controls Matrix, is the immense support it can generate for companies who may not quite understand the different complex areas of switching to a cloud environment. It makes it so there are never any assumptions on who within the business, or outside of the business, is responsible for certain delivery methods. Often roles and responsibilities become a blurred line when dealing with SLA’s when venturing into the cloud, and the Enterprise Architecture working group is addressing these areas by eliminating the confusion within the realms of IaaS, PaaS, and SaaS developments. These three areas map directly to the Cloud Control Matrix’s 16 current domains for full coverage.

How the mapping works

To give a quick overview of how this mapping will work, we will look at the first category of the CCM mapping portion, which in this case would be Application & Interface Security (AIS-01 Control ID from the CCM). The environment of choice would then be chosen; for instance, SaaS is going to act as our delivery method. We then cross-reference a table with a category of either CSP (Cloud Service Provider) or CSC (Cloud Service Consumer). For this case, there is a “1” annotating “yes” under CSP, and a “0” under CSC annotating a “no” response. These answers lead us to the sole responsibility for this deployment instance. Because application and programming interfaces are designed, developed, deployed, and tested by the vendor for SaaS, the security is ultimately agreed upon that it is the service provider's responsibility.

Provides a full circle approach

It may seem like a simplistic approach, but it is one that needs to be provided to consumers and businesses to really begin a course of action into adopting policy and structure for ownership responsibilities within the cloud. This EA delivery model, combined with other CSA items such as the CAIQ and the Cloud Controls Matrix, can develop a full circle approach to diving into the cloud and beginning to understand the approaches that are needed to become successful in understanding the knowledge surrounding it.

More easily put:

1. The CAIQ would be the questions used to ask a vendor about specific items that a business may need to suffice a request for a service
2. The CCM would then be used to assess the risk associated with cloud delivery models.
3. Lastly the EA quick guide mapping would identify the roles and ownership capabilities.

Being able to reference architecture such as this cloud delivery model can allow for a baseline internally and give consumers the peace of mind that they are taking the correct approach.

Learn more about the latest projects from Enterprise Architecture working group here.